- From: Dave Longley <dlongley@digitalbazaar.com>
- Date: Wed, 21 Mar 2018 11:49:35 -0400
- To: Dennis Yurkevich <dennis@mediaiqdigital.com>, =Drummond Reed <drummond.reed@evernym.com>
- Cc: "Jordan, John CITZ:EX" <John.Jordan@gov.bc.ca>, "public-credentials@w3.org" <public-credentials@w3.org>
On 03/21/2018 05:41 AM, Dennis Yurkevich wrote:
> Thank you Drummond and John for your replies.
>
> I understand the concept and benefits of DID auth, however I am more
> thinking of how this can be implemented in the short term as websites
> will not (most likely) switch over from current auth workflow to DIDs
> all at once, and they will want to cater for users who do not have
> capability to authorise using DIDs.
>
> But let's say I am using my mobile device on which I have stored my
> /privK/, to authenticate on a website. If we say take the uPort approach
> and show a QR code to facilitate this - what happens if I shutdown my
> browser (accidentally) and want to log back in? Does this group feel
> that implementers will still be forced to use session cookies?
>
> And the second question still stands, many people are using cookie based
> tracking and analysis in their apps - what do you envisage companies
> such as this with no direct user interaction would do?
>
> I think these are important questions (and many more) when we think
> about the DID auth spec to ensure we capture real world use cases in
> such a way that adoption possibility is increased.

It's very important that there's a clear, progressive, upgrade path to
using DIDs to authenticate on websites. We also want DID-based
authentication to play nicely with other mechanisms and APIs that
websites are already using or plan to use. The Credential Handler API
was designed with these things in mind:

https://github.com/w3c-ccg/credential-handler-api

There is a video and demo linked from that site of the Credential
Handler API that shows a more traditional flow and where DID-auth can
fit into it:

https://credential-repository.demo.digitalbazaar.com/
https://www.youtube.com/watch?v=bm3XBPB4cFY

The Credential Handler API can be used to merely authenticate as the
entity controlling a particular DID or you can provide additionally
requested Verifiable Credentials.

Once "logged in" a cookie could be set to track the DID used to
authenticate. I think, yes, websites will continue to use cookies for
session tracking in the near term. Another route for potentially
replacing cookies for session handling is Token Binding:

https://tools.ietf.org/html/draft-ietf-tokbind-https-12
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16

which is already implemented in Chrome (behind a flag). We may see some
DID integration (in some manner or another) with this tech.

It's also very important to remember that whatever technology gets built
to address DID-based auth, it needs to work in a way that the browser
vendors are willing to adopt or such that it sees massive adoption on
its own -- or it will go nowhere. This means understanding and working
within the existing Web ecosystem.

> Best,
> Dennis
>
> On Wed, Mar 21, 2018 at 4:38 AM, =Drummond Reed
> <drummond.reed@evernym.com> wrote:
>
>> +1 to John's reply. DIDs essentially invert the traditional cookie
>> relationship, i.e., rather than a site handing you a cookie (over
>> which you have no control other than to delete it), you hand the
>> site a DID. Because you control the private key, you can always
>> prove control of that DID. You can even rotate the public/private
>> key pair associated with the DID and still prove control.
>>
>> That's why they are a sea change in both identification
>> and authentication (and, in conjunction with verifiable credentials,
>> in authorization as well).
>>
>> =D
>>
>> On Tue, Mar 20, 2018 at 5:08 AM, Jordan, John CITZ:EX
>> <John.Jordan@gov.bc.ca> wrote:
>>
>>> Hi Dennis
>>>
>>> There are deeper experts here however my thinking is there is no
>>> more “remember me” as there will no longer be a “login”. One
>>> will simply connect to a service at which point DID Auth will
>>> occur. You will already be authenticated via the device you are
>>> using to control your private keys. Ideally DIDs are pairwise
>>> unique so I guess a site could use your DID for preferences and
>>> so forth.
>>>
>>> Remember me and cookies are a hack to solve user experience issues
>>> around user logon and sessions.
>>>
>>> Not sure what to say about tracking. I think there needs to be
>>> consent and withdrawal of consent at least :) ... maybe DIDs can
>>> help with user control of consent.
>>>
>>> J
>>>
>>> On Mar 20, 2018, at 05:06, Dennis Yurkevich
>>> <dennis@mediaiqdigital.com> wrote:
>>>
>>>> Hello All,
>>>>
>>>> I have quite a general question on which I am yet to find an
>>>> answer anywhere on the github repo.
>>>>
>>>> How does this group see DIDs and specifically DID Auth
>>>> interacting with traditional browser cookies, specifically my
>>>> questions are:
>>>>
>>>> * If a user checks the "remember me" button on a site which
>>>>   uses DID Auth, what would be the implementation flow?
>>>> * In the scenarios where a site uses various third party
>>>>   analytics systems which set tracking cookies, is there a better
>>>>   way to do this using DIDs?
>>>>
>>>> Thanks!
>>>> Dennis
--
Dave Longley
CTO
Digital Bazaar, Inc.
Received on Wednesday, 21 March 2018 15:50:09 UTC